Don't read private key files for offline KSKs
authorMatthijs Mekking <matthijs@isc.org>
Wed, 19 Jun 2024 12:07:06 +0000 (14:07 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 22 Aug 2024 06:21:52 +0000 (08:21 +0200)
When we are appending contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.

lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h

index 98657d8631d63cf6e755e48c906312a22f435cc4..e4f3499bbc3136432b6b9f60b227d4af72d82e23 100644 (file)
@@ -1599,6 +1599,13 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
                }
                RETERR(result);
 
+               if (kasp != NULL && dns_kasp_offlineksk(kasp) &&
+                   (dst_key_flags(dnskey) & DNS_KEYFLAG_KSK) != 0)
+               {
+                       result = ISC_R_NOPERM;
+                       goto addkey;
+               }
+
                /* Now read the private key. */
                result = keyfromfile(
                        kasp, directory, dnskey,
@@ -1664,6 +1671,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
                                      filename, isc_result_totext(result));
                }
 
+       addkey:
                if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
                        if (pubkey != NULL) {
                                addkey(keylist, &pubkey, savekeys, mctx);
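Review bot: The new branch at the top of the first hunk reuses `ISC_R_NOPERM` as an "intentionally skipped" marker, so once control reaches the `addkey:` label a deliberate offline-KSK skip and a genuine permission failure on the private key file are indistinguishable; a comment above `result = ISC_R_NOPERM;` would make the overload explicit, e.g. `/* offline-ksk: do not look for the KSK private key file; treat it as unreadable so only the public key is added. */`. The jump also bypasses the error report that precedes the label (the `isc_result_totext(result)` call in the second hunk), which is what keeps the log quiet for the expected case and is worth stating in that comment as well. The label `addkey:` shares its name with the `addkey(...)` function called two lines below it; labels live in their own namespace so this compiles, but `skip_private:` or `pubkey_only:` would read less ambiguously. If any variable assigned between the new `goto` and the label is read after it, it has to be initialized before the jump; those lines are outside the hunk, as are the start and end of `dns_dnssec_keylistfromrdataset`.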
index 7a6c5b5bc983e522415003e97becd39dce0f5470..3525672dcff5313301e144d82407bbc6a3d539fe 100644 (file)
@@ -325,6 +325,9 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
  * 'keysigs' and 'soasigs', if not NULL and associated, contain the
  * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
  * whether a key is already active in the zone.
+ *
+ * Private key files for keys with the KSK role are skipped if kasp is in
+ * offline-ksk mode.
  */
 
 isc_result_t